Jamf Protect - Alerts
| Id | 6098daa0-f05e-44d5-b5a0-913e63ba3179 |
| Rulename | Jamf Protect - Alerts |
| Description | Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel |
| Severity | High |
| Required data connectors | JamfProtect |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml |
| Version | 1.0.6 |
| Arm template | 6098daa0-f05e-44d5-b5a0-913e63ba3179.json |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
severity: High
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
entityMappings:
- fieldMappings:
- columnName: DvcHostname
identifier: HostName
- columnName: DvcOs
identifier: OSFamily
- columnName: DvcOsVersion
identifier: OSVersion
entityType: Host
- fieldMappings:
- columnName: Host_IPs
identifier: Address
entityType: IP
- fieldMappings:
- columnName: TargetProcessCurrentDirectory
identifier: CommandLine
- columnName: TargetProcessId
identifier: ProcessId
entityType: Process
- fieldMappings:
- columnName: algorithm
identifier: Algorithm
- columnName: TargetBinarySHA256
identifier: Value
entityType: FileHash
status: Available
customDetails:
Protect_Event_Type: EventType
Related_Binaries: TargetBinaryFilePath
JamfPro_Status: JamfPro
Protect_Analytic: EventMessage
TargetbinarySign: TargetbinarySignerType
TargetBinarySigner: TargetBinarySigningTeamID
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Protect_Tags: Tags
Related_File_hash: TargetBinarySHA256
relevantTechniques:
name: Jamf Protect - Alerts
kind: NRT
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
version: 1.0.6
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotectalerts_CL
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: Techniques
value: Techniques
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertTacticsColumnName: Tactics
suppressionDuration: PT5H
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
tactics:
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
suppressionEnabled: false
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
"alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
"alertDynamicProperties": [
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
}
],
"alertSeverityColumnName": "EventSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
"customDetails": {
"JamfPro_Status": "JamfPro",
"Protect_Analytic": "EventMessage",
"Protect_Event_Type": "EventType",
"Protect_Tags": "Tags",
"Related_Binaries": "TargetBinaryFilePath",
"Related_File_hash": "TargetBinarySHA256",
"TargetbinarySign": "TargetbinarySignerType",
"TargetBinarySigner": "TargetBinarySigningTeamID",
"TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
},
"description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
"displayName": "Jamf Protect - Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcOs",
"identifier": "OSFamily"
},
{
"columnName": "DvcOsVersion",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "Host_IPs",
"identifier": "Address"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessCurrentDirectory",
"identifier": "CommandLine"
},
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "algorithm",
"identifier": "Algorithm"
},
{
"columnName": "TargetBinarySHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
"query": "jamfprotectalerts_CL\n| extend\n algorithm = \"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.0.6"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}